Boston Gang May Be Behind Car-Wash Credit-Card Thefts

At some car washes, it wasn’t just the cars that were getting cleaned out: Members of a Boston street gang were allegedly logging into the computerized cash registers of car washes across the United States, stealing credit card data and using the cloned cards to transfer money to prepaid gift cards.

The dirt on this squeaky-clean case was unearthed last month, when a South Carolina sheriff’s department contacted police in Everett, Massachusetts, because a South Carolinian’s credit card had been fraudulently used several times at a Dollar Store in Everett.

Detective Michael Lavey of the Everett police department found that a few people were visiting Dollar Stores in and around Everett, always in pairs. They would routinely purchase $500 in prepaid gift cards, paying with several different credit cards until one of the credit cards was approved, Lavey told independent security expert Brian Krebs.

Lavey posted store security footage online, but the suspected bandits behind this money-laundering scheme weren’t caught until one ended up in a Boston hospital, having been stabbed in an unrelated robbery.

Police recognized the man, allegedly a member of a local Bloods gang, from the security tapes. When his bloody pants were confiscated as evidence, police found a large number of credit cards in the pockets.

Lavey found at least one card had been cloned from a card whose data had been stolen from a Splash Car Wash in Connecticut. This led Lavey to connect with Monroe, Connecticut police detective Michael Chaves.

Chaves had been investigating card-data thefts at 14 car washes in Connecticut. He discovered many of the car washes used an outdated version of a point-of-sale software system developed by Randolph, New Jersey-based Micrologic Associates — and which could be accessed via the aging pcAnywhere remote-desktop software, sold until last month by Symantec.

Micrologic had created default pcAnywhere login credentials for its products, but many clients never changed the defaults, which stayed the same for years, Chaves told Krebs.